Security Now – proxy servers

I’m a big fan of all the work put in by Leo Laporte[1] and his team at TWiT[2]. Over the years this has been an excellent source of all sorts of Tech News.
I listen to the Podcasts of several of the shows, and there are a fair few, on my iPhone on the way to and from work. Alas most days I am unable to make the NA West Coast timings of the live shows.
The iPhone has a useful feature that allows you to play Podcasts at 2X speed, which makes them a reasonable length and leaves the content perfectly audible.
The Podcasts I enjoy most are TWiT, TWiG[3], Security Now![4] & TNT[5]. Each has a specific focus and although all Tech overlaps a little the angle taken by each makes all the shows worth listening to. Highly recommended.

This week[6] (23/02/2011) Security Now, a show co-hosted by Leo Laporte and Steve Gibson[7] covered the topic of Proxy Servers.
Obviously this intersects my own interests greatly so I was intrigued to see how they covered the topic.US Show
The main difference between American and British attitudes towards the Internet are around Freedom of Speech and Freedom of Access. So proxies have a significant role in both locales but potentially very different priorities.
First, the UK. Here we tend to use proxies solely in the business/corporate environment. Here the principle is to limit access to only that really required for business and to protect valuable Business Resources, namely Bandwidth. Thus monitoring and reporting Web access and usage is an area of ever increasing importance. Along with identification.
This is also true in the US (I have enough colleagues in the region to testify to this) but a much greater emphasis is placed on the rights of the individual to their personal privacy. The same is true in wide areas of the EU.
Obviously another area that heavily use proxies to restrict access are Educational Establishments; schools, colleges, universities etc.
Additionally, in the US especially, a specialist type of proxy is used to circumvent individual identification, whether within a business or school or on the remote site.
All fairly straightforward so far.Open Proxies
Future entries on this blog will cover individual issues on proxy servers and the limitations and problems they produce. For now I’ll concentrate on the ByPass methods mentioned by Steve Gibson in the Podcast mentioned previously.
When you are on a protected networkall your web browsing is directed towards a Proxy Service that then retrieves the information for you and delivers it to your browser. That process is almost always monitored, logged and filtered. It is possible to record the exact user who accessed something at specific time. Also, most proxies have the ability to restrict access by site, user, content type, time of day, size or even the type of website.
So the individual is informed that this is happening and that they have restricted, monitored access, this is a legal requirement.
What happens with some more bullish and tech savvy users is they start looking for ways to circumvent these restrictions?
One such method is to use an Open or Anonymous Proxy service.
What these provide is discussed in Security Now but for the record they provide you with the ability to access a blocked site by intervening in a similar way to your business proxy. This time it is a webform in to which you enter the site you really wish to access and off the Open Proxy goes and retrieves the page. All the business proxy sees is that you accessed the Open Proxy.
Indeed, many common search sites such as Google provide a form of this via a “retrieve cached copy” option. (This only works for static content though, not dynamic sites or those that require logins – like Facebook or WebMail.)
Back to standard Open Proxies, you now have access to “Facebook” or “VirtuaGirl” and away you go.
It is not impossible for a business/school to block this kind of access but it is hard to keep up to date with new Open Proxies. Many proxy solutions have the ability to block Anonymous Proxies but these rely on lists that need constant maintenance.
There are several sites on the Web that provide lists of Open Proxies. But you will find these list sites are blocked by Business Proxies, that’s relatively easy.
The attraction of Open Proxies is obvious to those that want to “break the rules”, or don’t believe in rules. Another potential use is to hide your identity from the site. Not all sites with useful content are entirely innocent. Tracking users browsing habits is a big marketing industry and the use of Open Proxies makes this impossible. Some sites themselves deny access if you are using a proxy service for this very reason.
This is where, from an organisations point of view, the SaaS Web Security model is invaluable. With SaaS many customers are feeding into the solution thus far more chances of detecting new Anonymous/Open proxies.Major Disadvantages
The obvious downside to the use of Open Proxies is that all your data, in both directions, is fed and is readable by that “Man in the Middle”. All your passwords, logins, bank details (if you are that stupid) can be accessed by the owners/administrators of the proxy. Really that should be unacceptable to any of us without proper contracts and controls.
The use of such systems can be construed as misconduct by your employer/college.Major Advantages
Obviously in a scenario where you distrust the end system you can protect your identity.
If you are in an inappropriately oppressive regime (see recent events in Egypt[8]) then third party Open Proxies can provide valuable links to the Outside World even if global web blocks are affected.Conclusion
I abhor the unnecessary attempts to bypass business security especially as the vast majority of people have Smart Phones that can access the Web extremely effectively. Facebook is a proven productivity killer and corporations can be held liable for content that facilitate across their networks. The increased risk of data leakage (I have witnessed this) should not be ignored either.However, the usefulness in aiding discussion and organisation when the freedoms of all are threatened cannot be argued against. I’m not a Freedom nut (I don’t think I should have access to everything – fullstop) but there is a requirement out there.Recommendation
Useful but keep it out the office/college.
The debate[9] will continue…